1 files changed, 21 insertions, 4 deletions
diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
index d88e96d4e12c..56ba0f2a01db 100644
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -977,6 +977,7 @@ int perf_event_query_prog_array(struct perf_event *event, void __user *info)
 {
        struct perf_event_query_bpf __user *uquery = info;
        struct perf_event_query_bpf query = {};
+        u32 *ids, prog_cnt, ids_len;
        int ret;
        if (!capable(CAP_SYS_ADMIN))
@@ -985,16 +986,32 @@ int perf_event_query_prog_array(struct perf_event *event, void __user *info)
                return -EINVAL;
        if (copy_from_user(&query, uquery, sizeof(query)))
                return -EFAULT;
-        if (query.ids_len > BPF_TRACE_MAX_PROGS)
+        ids_len = query.ids_len;
+        if (ids_len > BPF_TRACE_MAX_PROGS)
                return -E2BIG;
+        ids = kcalloc(ids_len, sizeof(u32), GFP_USER | __GFP_NOWARN);
+        if (!ids)
+                return -ENOMEM;
+        /*
+         * The above kcalloc returns ZERO_SIZE_PTR when ids_len = 0, which
+         * is required when user only wants to check for uquery->prog_cnt.
+         * There is no need to check for it since the case is handled
+         * gracefully in bpf_prog_array_copy_info.
+         */
        mutex_lock(&bpf_event_mutex);
        ret = bpf_prog_array_copy_info(event->tp_event->prog_array,
-                                       uquery->ids,
+                                       ids,
-                                       query.ids_len,
+                                       ids_len,
-                                       &uquery->prog_cnt);
+                                       &prog_cnt);
        mutex_unlock(&bpf_event_mutex);
+        if (copy_to_user(&uquery->prog_cnt, &prog_cnt, sizeof(prog_cnt)) ||
+            copy_to_user(uquery->ids, ids, ids_len * sizeof(u32)))
+                ret = -EFAULT;
+        kfree(ids);
        return ret;
 }

diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c index d88e96d4e12c..56ba0f2a01db 100644 --- a/kernel/trace/bpf_trace.c +++ b/kernel/trace/bpf_trace.c
@@ -977,6 +977,7 @@ int perf_event_query_prog_array(struct perf_event event, void __user info)
977	{	977	{
978	struct perf_event_query_bpf __user *uquery = info;	978	struct perf_event_query_bpf __user *uquery = info;
979	struct perf_event_query_bpf query = {};	979	struct perf_event_query_bpf query = {};
		980	u32 *ids, prog_cnt, ids_len;
980	int ret;	981	int ret;
981		982
982	if (!capable(CAP_SYS_ADMIN))	983	if (!capable(CAP_SYS_ADMIN))
@@ -985,16 +986,32 @@ int perf_event_query_prog_array(struct perf_event event, void __user info)
985	return -EINVAL;	986	return -EINVAL;
986	if (copy_from_user(&query, uquery, sizeof(query)))	987	if (copy_from_user(&query, uquery, sizeof(query)))
987	return -EFAULT;	988	return -EFAULT;
988	if (query.ids_len > BPF_TRACE_MAX_PROGS)	989
		990	ids_len = query.ids_len;
		991	if (ids_len > BPF_TRACE_MAX_PROGS)
989	return -E2BIG;	992	return -E2BIG;
		993	ids = kcalloc(ids_len, sizeof(u32), GFP_USER \| __GFP_NOWARN);
		994	if (!ids)
		995	return -ENOMEM;
		996	/*
		997	* The above kcalloc returns ZERO_SIZE_PTR when ids_len = 0, which
		998	* is required when user only wants to check for uquery->prog_cnt.
		999	* There is no need to check for it since the case is handled
		1000	* gracefully in bpf_prog_array_copy_info.
		1001	*/
990		1002
991	mutex_lock(&bpf_event_mutex);	1003	mutex_lock(&bpf_event_mutex);
992	ret = bpf_prog_array_copy_info(event->tp_event->prog_array,	1004	ret = bpf_prog_array_copy_info(event->tp_event->prog_array,
993	uquery->ids,	1005	ids,
994	query.ids_len,	1006	ids_len,
995	&uquery->prog_cnt);	1007	&prog_cnt);
996	mutex_unlock(&bpf_event_mutex);	1008	mutex_unlock(&bpf_event_mutex);
997		1009
		1010	if (copy_to_user(&uquery->prog_cnt, &prog_cnt, sizeof(prog_cnt)) \|\|
		1011	copy_to_user(uquery->ids, ids, ids_len * sizeof(u32)))
		1012	ret = -EFAULT;
		1013
		1014	kfree(ids);
998	return ret;	1015	return ret;
999	}	1016	}
1000		1017